This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 33%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I have the following messages coming in thick and fast - 15 emails so far in the last 15 minutes - I can't see anything added ? do we have as security issue ?
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 10%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello Adrian
Thank you for reaching out to Microsoft Q&A.
It looks like those 15 emails in 15 minutes are PIM “Role assigned outside of PIM” security alerts firing on your Purview Workload Content Administrator assignments. By design, whenever someone (or something) assigns a privileged role outside of PIM’s just-in-time workflow, PIM will send an email to your Privileged Role Admins, Security Admins and Global Admins if that alert is enabled.
Here’s how you can investigate and tame the noise:
Hope that helps you pinpoint who or what is doing the assignment, clean up any unwanted grants, and stop the flood of alerts!
References
• Configure security alerts for roles in PIM: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts
• View audit history in PIM: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-use-audit-log
• Assign Azure resource roles in PIM: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles
• Manage roles you can’t manage in PIM: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-roles
If the answer is helpful, kindly upvote it. If you have extra questions about this answer, please click "Comment".
Thanks I did some digging more to be done, as I haven't done much with Entra I will go throuugh the audit logs also as suggested as well but it appears that it was due to that account not being used as it is a backup account for the global admin, i couldn't see anything obvious and found an entry which said something along those lines but wasn't able to see additions, appreciate the detailed resonse.
Answer accepted by question author
Ignore them, most tenants using Purview and PIM have received the same. It's indeed a "noise" event but nothing to be concerned about. Just Microsoft doing Microsoft things.
thanks - I hit that conclusion after my blood pressure returned to normal, when I couldn't see anything obviously addded, I need to spend some time with entra....
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 12%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGC%3C/text%3E%3C/svg%3E)
We got this too with actor info being type=application and displayname=PurviewRoleAssignmentMigrator. Can confirm the accounts that got it had RBAC assigned in Purview directly. Assuming this is a Msft assignment moving local purview RBAC to entra roles but wish they would have put this in the service notifications. Please confirm if this assumption is incorrect.
No, never ignore unexpected changed to permissions like this! What an insane thing for an MVP to say. It might not require any action, but it should be checked out and reviewed at a minimum.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 86%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESJ%3C/text%3E%3C/svg%3E)
Hello everyone,
To identify the user who assigned the role, you can review the activity logs in Microsoft Entra. Navigate to Microsoft Entra and access Audit Logs within the Monitoring and Health section.
Apply a filter for the activity type "Add member to role" to locate the relevant entries. The results will display detailed records of role assignments.
Additionally, this process relies on standard Microsoft developer tooling and logging capabilities.
The cause is the Microsoft Entra admin roles published last December. My recent blog post covers the current emails: Purview is now assigning workload admin roles in Microsoft Entra
AI answer
Those emails are Privileged Identity Management (PIM) security alerts indicating that the Purview Workload Content Administrator role is being assigned directly in Microsoft Entra ID instead of via PIM. This is treated as a high‑severity event because assignments made outside PIM are not properly monitored and can indicate misuse or an active attack.
What the alert means:
Immediate checks and actions:
Is this a security issue?
If unexpected assignments are found, follow the organization’s incident response process (containment, investigation of audit logs, and verification of admin accounts and automation).
References: